Installing Docker on Linux, installing the Harbor private image registry, issuing certificates, and testing the Harbor private registry


I. Install Docker before installing Harbor

1.1 Disable the iptables and firewalld services

[root@master ~]# systemctl stop firewalld
[root@master ~]# systemctl disable firewalld
[root@master ~]# systemctl stop iptables
[root@master ~]# systemctl disable iptables
# flush the firewall rules
[root@master ~]# iptables -F

1.2 Disable SELinux

# disable temporarily
[root@master ~]# setenforce 0
# disable permanently
[root@master ~]# sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config

1.3 Change the hostname

[root@master ~]# hostnamectl set-hostname harbor
[root@harbor ~]# hostname harbor

1.4 Install basic packages

[root@harbor ~]# yum install -y  wget net-tools nfs-utils lrzsz gcc gcc-c++ make cmake libxml2-devel openssl-devel curl curl-devel unzip sudo ntp libaio-devel wget vim ncurses-devel autoconf automake zlib-devel  python-devel epel-release openssh-server socat  ipvsadm conntrack

1.5 Configure a domestic (Alibaba Cloud) yum repository for docker-ce

[root@harbor ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# if the yum-config-manager command is not found, install yum-utils (the package that provides it, also installed in 1.6) and run the command again
[root@harbor ~]# yum install -y yum-utils

1.6 Install the Docker dependency packages

[root@harbor ~]# yum install -y yum-utils device-mapper-persistent-data lvm2

1.7 Install docker-ce

[root@harbor ~]# yum install docker-ce -y

1.8 Start the Docker service

[root@harbor ~]# systemctl start docker && systemctl enable docker
[root@harbor ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since 二 2023-06-20 00:07:12 CST; 11h ago
     Docs: https://docs.docker.com
 Main PID: 46686 (dockerd)
    Tasks: 50
   Memory: 63.8M
   CGroup: /system.slice/docker.service

If the status shows running, Docker is working normally.

1.9 Check the Docker version

[root@harbor ~]# docker version

1.10 Install docker-compose (used mainly to install and manage Harbor)

[root@harbor ~]# sudo curl -L https://get.daocloud.io/docker/compose/releases/download/1.21.1/docker-compose-`uname -s`-`uname -m` -o /usr/bin/docker-compose
[root@harbor ~]# chmod +x /usr/bin/docker-compose
[root@harbor ~]# docker-compose version

Note: docker-compose is an official Docker open-source project for quickly orchestrating groups of Docker containers. Its project configuration file is docker-compose.yml by default, and the directory docker-compose is run in must contain one. docker-compose can manage multiple Docker instances.

1.11 Enable packet forwarding and adjust kernel parameters

Kernel parameters: the br_netfilter module passes bridged traffic to the iptables chains, and forwarding has to be enabled for it through the kernel parameters below.

[root@harbor ~]# modprobe br_netfilter
[root@harbor ~]# cat > /etc/sysctl.d/docker.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
[root@harbor ~]# sysctl -p /etc/sysctl.d/docker.conf

Note: if Docker prints "WARNING: bridge-nf-call-iptables is disabled" after installation, the fix is to set net.bridge.bridge-nf-call-ip6tables = 1 and net.bridge.bridge-nf-call-iptables = 1.

net.ipv4.ip_forward = 1: a Linux system used as a router or VPN server must have IP forwarding enabled. When the host has several network interfaces, this setting decides whether packets received on one interface can be passed on to another; with it set to 1 packets can be forwarded, which makes features such as VxLAN possible. If it is left off, applications deployed with Docker cannot be reached.

# restart Docker
[root@harbor ~]# systemctl restart docker

II. Self-sign certificates for Harbor

[root@harbor ~]# mkdir /data/ssl -p
[root@harbor ~]# cd /data/ssl/

2.1 Generate the CA certificate

[root@harbor ssl]# openssl genrsa -out ca.key 3072
# generates a 3072-bit key, i.e. the CA private key
[root@harbor ssl]# openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
# generates the certificate ca.pem; 3650 is the validity in days (about ten years). Fill in the fields marked with an arrow in the screenshot as prompted and leave the unmarked ones empty:

(screenshot: generating the CA certificate)

2.2 Generate the certificate for the domain

[root@harbor ssl]# openssl genrsa -out harbor.key 3072
# generates a 3072-bit key, i.e. the server private key
[root@harbor ssl]# openssl req -new -key harbor.key -out harbor.csr
# generates a certificate signing request, needed when the certificate is issued in a moment. Fill in the fields marked with an arrow as prompted and leave the unmarked ones empty:

(screenshot: generating the domain certificate)

2.3 Sign the certificate

[root@harbor ssl]# openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor.pem -days 3650
# output like the following means the certificate has been issued:
Signature ok
subject=/C=CH/ST=BJ/L=BJ/O=Default Company Ltd/CN=harbor
Getting CA Private Key
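A certificate issued this way carries the registry name only in its CN. Docker (a Go TLS client) matches the registry address against the subjectAltName extension, not the CN, so a docker client that trusts ca.pem would still reject this certificate; the post works around that later with insecure-registries. The script below is an added example, not part of the original post: it repeats the three steps non-interactively with -subj, adds DNS:harbor and IP:192.168.5.135 (the post's values) as SANs through an extension file, and verifies the chain. The function name, the CA subject and the extension file name are made up here.

```shell
#!/bin/sh
# Added example: generate a CA plus a server certificate with SANs for Harbor.
# Usage: make_harbor_certs <outdir> <hostname> <ip>
make_harbor_certs() {
  out="$1"; host="$2"; ip="$3"
  mkdir -p "$out" || return 1

  # 1. CA key and self-signed CA certificate (same sizes and lifetime as the
  #    post; -subj replaces the interactive prompts, CN is our own choice)
  openssl genrsa -out "$out/ca.key" 3072 2>/dev/null || return 1
  openssl req -new -x509 -days 3650 -key "$out/ca.key" -out "$out/ca.pem" \
    -subj "/C=CH/ST=BJ/L=BJ/O=Default Company Ltd/CN=harbor-ca" || return 1

  # 2. Server key and certificate signing request
  openssl genrsa -out "$out/harbor.key" 3072 2>/dev/null || return 1
  openssl req -new -key "$out/harbor.key" -out "$out/harbor.csr" \
    -subj "/C=CH/ST=BJ/L=BJ/O=Default Company Ltd/CN=$host" || return 1

  # 3. Extensions for a TLS server certificate. The SAN list is what the
  #    docker client checks; hostname and IP are both listed so the registry
  #    can be addressed either way.
  cat > "$out/v3.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
EOF
  openssl x509 -req -in "$out/harbor.csr" -CA "$out/ca.pem" \
    -CAkey "$out/ca.key" -CAcreateserial -out "$out/harbor.pem" \
    -days 3650 -extfile "$out/v3.ext" 2>/dev/null || return 1

  # 4. Check that the chain verifies and that both SAN entries are present
  openssl verify -CAfile "$out/ca.pem" "$out/harbor.pem" >/dev/null || return 1
  openssl x509 -in "$out/harbor.pem" -noout -text | grep -q "DNS:$host" || return 1
  openssl x509 -in "$out/harbor.pem" -noout -text | grep -q "IP Address:$ip"
}
```

Point harbor.yml at the generated harbor.pem and harbor.key exactly as in 3.2; ca.pem is the file to distribute to the Docker hosts that will talk to the registry.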

III. Install Harbor

3.1 Download Harbor

[root@harbor ~]# cd /opt
[root@harbor opt]# wget https://github.com/goharbor/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz

3.2 Extract the package and edit the configuration file

[root@harbor opt]# tar xvf harbor-offline-installer-v2.8.2.tgz
[root@harbor opt]# cd harbor && cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vim harbor.yml

Change the following three settings:

hostname: reg.mydomain.com            ->  hostname: harbor
certificate: /your/certificate/path   ->  certificate: /data/ssl/harbor.pem
private_key: /your/private/key/path   ->  private_key: /data/ssl/harbor.key

3.3 Install Harbor

[root@harbor harbor]# ./install.sh

Note: docker version: 24.0.2

[Step 1]: checking docker-compose is installed ...

Note: Docker Compose version v2.18.1

Loaded image: goharbor/registry-photon:v2.8.2
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
......
Note: stopping existing Harbor instance ...
[+] Running 10/10
 ✔ Container nginx              Removed    0.1s
 ✔ Container harbor-jobservice  Removed    0.1s
 ✔ Network harbor_harbor        Removed    0.1s
[Step 5]: starting Harbor ...
[+] Building 0.0s (0/0)
[+] Running 10/10
 ✔ Network harbor_harbor        Created    0.1s
 ✔ Container harbor-log         Started    0.5s
 ✔ Container registryctl        Started    2.3s
 ✔ Container harbor-jobservice  Started    2.7s
 ✔ Container nginx              Started    2.9s
✔ ----Harbor has been installed and started successfully.----

The installation is now complete.

3.4 Check the status of the Harbor services

[root@harbor harbor]# docker-compose ps
      Name                     Command                  State                             Ports
----------------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/entrypoint.sh            Up (healthy)
harbor-db           /docker-entrypoint.sh  13        Up (healthy)
harbor-jobservice   /harbor/entrypoint.sh            Up (healthy)
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->8080/tcp,:::80->8080/tcp,
                                                                    0.0.0.0:443->8443/tcp,:::443->8443/tcp
redis               redis-server /etc/redis.conf     Up (healthy)
registry            /home/harbor/entrypoint.sh       Up (healthy)
registryctl         /home/harbor/start.sh            Up (healthy)

All of the services are healthy.

3.5 An error I ran into: Network harbor_harbor Error

# If you follow this document you should not get this error; I hit it because I stopped the firewall after Docker was already installed
 ✘ Network harbor_harbor  Error    0.0s
failed to create network harbor_harbor: Error response from daemon: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-4733c61275a3 -j RETURN: iptables: No chain/target/match by that name.

# Fix
# The firewall applied its rules while Docker was starting; if the firewall is stopped while containers are running and you then operate on containers, this error appears. Restarting Docker resolves it:
systemctl restart docker.service
# then
docker-compose up -d

3.6 Edit the hosts file on your own computer

Add the following line to the hosts file and save it:

192.168.5.135  harbor

3.7 How to stop Harbor

[root@harbor harbor]# cd /opt/harbor
[root@harbor harbor]# docker-compose stop

3.8 How to start Harbor

[root@harbor harbor]# cd /opt/harbor
[root@harbor harbor]# docker-compose up -d
# if the containers are started with docker start instead, nginx sometimes fails to come up

3.9 Using the Harbor web interface

Enter the Harbor address in your browser:

Accept the risk and continue. If the following page appears, access is working.

(screenshot: Harbor login page)

Username: admin

Password: Harbor12345

After entering the username and password, the following page appears:

(screenshot: Harbor projects page)

All base images go into library, which is a public image repository.

New Project -> give the project the name test (tick the Public access level so that the project can be used publicly).

(screenshot: Harbor new project dialog)
(screenshot: Harbor project created successfully)

IV. Test the Harbor private image registry

4.1 Edit the Docker configuration and restart Docker

[root@harbor ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","http://hub-mirror.c.163.com"],
  "insecure-registries": ["192.168.5.135","harbor"]
}
# insecure-registries means that when we reach Harbor from the internal network we go over http; 192.168.5.135 is the IP of the machine Harbor is installed on. JSON has no comment syntax, so this note must not be placed inside the file.
[root@harbor ~]# systemctl daemon-reload && systemctl restart docker
[root@harbor ~]# systemctl status docker
# output like the following means Docker restarted successfully
Active: active (running) since 二 2023-06-20 00:07:12 CST; 10h ago
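Listing the registry under insecure-registries tells the Docker daemon to skip TLS verification for it and to fall back to plain http, which discards the certificate issued in part II. Harbor's documented alternative is to give Docker the CA: the daemon reads /etc/docker/certs.d/<registry>/ca.crt and verifies the registry certificate against it, and the mirrors above can stay configured without the insecure-registries entry. The script below is an added example, not part of the post; it takes a root prefix (/ on the real host, a temporary directory for a dry run), a ca.pem and the post's two registry addresses, installs the CA for both, writes a daemon.json without insecure-registries, and checks the result. The function names are made up here.

```shell
#!/bin/sh
# Added example: trust the Harbor CA in the Docker daemon instead of listing
# the registry as insecure. Usage: trust_harbor_ca <root> <ca.pem> <registry>...
trust_harbor_ca() {
  root="$1"; ca="$2"; shift 2
  # refuse anything that is not a parseable X.509 certificate
  openssl x509 -in "$ca" -noout >/dev/null 2>&1 || return 1
  # one certs.d directory per address clients will use; Docker looks up
  # /etc/docker/certs.d/<host[:port]>/ca.crt for the address being contacted
  for reg in "$@"; do
    mkdir -p "$root/etc/docker/certs.d/$reg" || return 1
    install -m 0644 "$ca" "$root/etc/docker/certs.d/$reg/ca.crt" || return 1
  done
  # daemon.json keeps the mirrors from the post and drops insecure-registries;
  # JSON has no comment syntax, so nothing else goes into the file
  mkdir -p "$root/etc/docker" || return 1
  cat > "$root/etc/docker/daemon.json" <<'EOF'
{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "https://docker.mirrors.ustc.edu.cn",
    "http://hub-mirror.c.163.com"
  ]
}
EOF
  check_docker_trust "$root" "$@"
}

# Returns 0 when every registry has a non-empty ca.crt and daemon.json
# contains no insecure-registries key; usable on its own as an audit check.
check_docker_trust() {
  root="$1"; shift
  for reg in "$@"; do
    [ -s "$root/etc/docker/certs.d/$reg/ca.crt" ] || return 1
  done
  ! grep -q insecure-registries "$root/etc/docker/daemon.json"
}
```

After running it with root / on a Docker host, restart Docker as in the post (systemctl restart docker): certs.d is consulted per request, but daemon.json is only read at daemon start.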

4.2 Log in to Harbor from the docker command line (if you have other Docker hosts, you can log in remotely over the internal network)

[root@harbor ~]# docker login 192.168.5.135
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# login succeeded

4.3 Pull the tomcat image with docker

Here I pull tomcat from Docker Hub for the test.

[root@harbor ~]# docker pull tomcat
Using default tag: latest
latest: Pulling from library/tomcat
0e29546d541c: Pull complete
9b829c73b52b: Pull complete
cb5b7ae36172: Pull complete
6494e4811622: Pull complete
668f6fcc5fa5: Pull complete
dc120c3e0290: Pull complete
8f7c0eebb7b1: Pull complete
77b694f83996: Pull complete
0f611256ec3a: Pull complete
4f25def12f23: Pull complete
Digest: sha256:9dee185c3b161cdfede1f5e35e8b56ebc9de88ed3a79526939701f3537a52324
Status: Downloaded newer image for tomcat:latest
docker.io/library/tomcat:latest

# tag the tomcat image for the test project in Harbor
[root@harbor ~]# docker tag tomcat:latest 192.168.5.135/test/tomcat:v1
# the command below uploads 192.168.5.135/test/tomcat:v1 into the test project in Harbor
[root@harbor ~]# docker push 192.168.5.135/test/tomcat:v1
The push refers to repository [192.168.5.135/test/tomcat]
3e2ed6847c7a: Pushed
bd2befca2f7e: Pushed
59c516e5b6fa: Pushed
3bb5258f46d2: Pushed
832e177bb500: Pushed
f9e18e59a565: Pushed
26a504e63be4: Pushed
8bf42db0de72: Pushed
31892cc314cb: Pushed
11936051f93b: Pushed
v1: digest: sha256:e6d65986e3b0320bebd85733be1195179dbce481201a6b3c1ed27510cfa18351 size: 2422

Open the Harbor console and check the project:

(screenshot: Harbor test project with the pushed image)

4.4 Pull the image from the Harbor registry

# delete the image on the Harbor machine
[root@harbor ~]# docker rmi -f 192.168.5.135/test/tomcat:v1
Untagged: 192.168.5.135/test/tomcat:v1
Untagged: 192.168.5.135/test/tomcat@sha256:e6d65986e3b0320bebd85733be1195179dbce481201a6b3c1ed27510cfa18351

# pull the image again, this time from the Harbor registry
[root@harbor ~]# docker pull 192.168.5.135/test/tomcat:v1
v1: Pulling from test/tomcat
Digest: sha256:e6d65986e3b0320bebd85733be1195179dbce481201a6b3c1ed27510cfa18351
Status: Downloaded newer image for 192.168.5.135/test/tomcat:v1
192.168.5.135/test/tomcat:v1

# pulling from your own Harbor is very fast